Security Through Boredom

Chrome Stable Shipping With Vulnerable Flash Player

Google Chrome 23 was just released to the stable channel with some notable security fixes. It’s also shipping with a vulnerable Flash Player. Chrome bundles its PPAPI Flash Player into updates, which usually means users are patched more quickly, or even before official patches are out. The PPAPI Flash plugin also runs in a very restrictive sandbox: on Windows it runs at an Untrusted Integrity Level with job tokens applied to it, and on Linux it runs with the BPF Sandbox, among other things.

While this typically means users are ahead of patches, in this case Google fell behind. Users shouldn’t worry too much: even if they did land on an exploit page for the vulnerability (and I don’t believe any are currently in the wild), the sandbox is very strong and they’d be protected from infection.